Hostile Takeover of the DAO: What Can We Do?

Abstract: The frequency of DAO takeovers will increase as larger and more established players and institutions enter the space. We will go through several recent examples and a hypothetical hostile takeover of the Lido DAO (LDO), followed by a vampire attack on the Lido liquid staking pool.

Recent hostile takeovers

The number of DeFi-centric DAOs holding large treasuries is growing, which may lead to more frequent hostile governance takeover attempts. Extremely low governance participation (most holders are speculative investors) forces DAOs to accept lower thresholds for proposal approval.

At the beginning of April, DAO treasuries had reached nearly 13 billion US dollars, an increase of 4 billion US dollars over the previous month. While we haven't seen a slew of takeovers yet, two examples from the past few months point to experimentation as the value held by DAOs reaches unprecedented levels.

DeepDAO.io (4/4/22)

In mid-February, Build Finance suffered a governance takeover in which the attacker successfully passed a vote handing full control of the governance contract, minting keys, and treasury to the attacker. After a failed first attempt, the attacker moved BUILD tokens to another wallet and resubmitted the takeover proposal. By disabling the GitBook and the proposal bot, and holding enough tokens to reach the minimum approval, the attacker passed the proposal, minted 1.1 million BUILD, and drained the LP pools on Uniswap and Balancer for a profit of $500,000.

Build Finance's on-chain governance model allowed a single proposal to transfer ownership of the one smart contract that mints BUILD tokens and controls the treasury. Other DAOs use a combination of off-chain voting and committee-controlled multi-signature wallets to make on-chain and off-chain decisions. These governance setups can defend against overtly malicious proposals (e.g., via a multi-signature veto), but they carry different trust assumptions and run the risk of malicious key holders changing the protocol against the will of the community. Last December, members of FortressDAO (an Olympus fork) approved a proposal to create FUSD (a new yield-bearing stablecoin) from the Fortress treasury (about $14 million at the time). While the community believed it would control the distribution of FUSD, in reality Eisenberg, the sole developer and holder of the keys, had full control over the FUSD in the treasury.

Relying on a small group of key holders to honor a multi-signature governance structure also introduces unnecessary risk. Ideally, governance should happen on-chain, and accepted proposals should be executable code that interacts directly with existing markets or adds newly supported tokens from standardized templates. However, self-executing proposals create an opportunity for anyone who accumulates enough DAO tokens to quietly submit and approve irreversible proposals that drain the treasury or otherwise act maliciously. The low percentage of DAO token holders who actively vote on proposals (historically below 10%) means these takeovers are easier than one might think.

Hypothetical Takeover Example: Lido DAO

For fun, let's walk through a hypothetical takeover of the Lido DAO and the subsequent vampire attack on its liquid staking pool. Lido is a liquid staking protocol on Ethereum. Lido has nearly 3 billion ETH staked, which accounts for more than 80% of all liquid staking balances on the network and more than 27% of all ETH staked in validators and pools. ETH deposited in the Lido liquid staking pool is rewarded with stETH, which can be deposited into LP pools on Curve or used as collateral in lending protocols such as Aave, Maker, Compound, and Alpha. Liquid staking gives ETH holders much-needed liquidity and lets them earn additional rewards on top of the Lido pool rewards. Even large stakers who are able to run their own validator nodes have little incentive to do so given the economic risks, except for altruistic reasons (such as contributing to network security).

There are currently 104 million LDO tokens in circulation (a circulating market cap of approximately $463 million). Token holders vote on a range of proposals, including approving incentives for parties that help achieve the DAO's goals (e.g., stETH liquidity providers). In addition to 50% approval, a proposal needs "yes" votes from at least 5% of the total token supply to pass. Since the SUSHI vs. Uniswap incident, the DAO token requirement for approving liquidity-provider incentives has largely prevented vampire attacks. However, with a sufficiently large economic incentive, a DAO takeover that drains liquidity becomes a possibility.

In our case, it is unrealistic to assume that an attacker with 5% of the token supply can pass a malicious proposal. However, because such a low percentage of holders vote, as little as 10% of the LDO supply ($46.3 million) may be enough for approval, absent a huge community effort to mobilize "no" votes. Our attacker launches a new DeFi protocol and gets a proposal approved in the Lido DAO accepting this new protocol into the Lido ecosystem. The protocol then launches a new token issued to users who deposit stETH (i.e., something like $SUSHI in exchange for Uniswap LP tokens). With a high enough incentive, the new protocol sees massive stETH deposits, which can then be redeemed for ETH from the Lido pools. By draining these pools, the attacker can quickly accumulate nearly 30% of the staked ETH on the network.

This is highly unlikely for a number of reasons. First, it would require an upfront cost of $50 million to secure enough votes to pass a proposal. Second, the exchange rate between stETH and the new protocol's token would be very low unless the token appreciated significantly after launch (or a full-fledged DeFi project with a token of real value executed this strategy). Third, negative public perception of the attempt could limit stETH deposits and destroy the value of the native token.
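The passing rule above (more than 50% of votes cast plus "yes" votes from at least 5% of total supply) is what makes low turnout dangerous, and the relationship is easy to make concrete. The following is an added example, not code from the article or from any DAO's governance contracts; it encodes that two-part rule with the 104 million LDO figure from the text, and every turnout scenario it evaluates is constructed for illustration. The function `minimum_attacker_stake` answers the defender's question directly: given how many tokens actually show up to vote "no", how large a stake is needed to force a proposal through?

```python
"""Vote-threshold model for a DAO proposal.

Added example, not code from the article or from any DAO's contracts. It
encodes the passing rule the article quotes for the Lido DAO: a proposal
passes when more than 50% of the votes cast are "yes" AND the "yes" votes
amount to at least 5% of total token supply. All participation figures in
the scenarios below are constructed for illustration.
"""
import math
from dataclasses import dataclass

TOTAL_SUPPLY = 104_000_000   # circulating LDO supply quoted in the article
SUPPORT_REQUIRED = 0.50      # "yes" share of votes cast must exceed this
MIN_ACCEPTANCE = 0.05        # "yes" votes must be at least this share of supply


@dataclass(frozen=True)
class Tally:
    """Token-weighted votes for and against a single proposal."""
    yes: int
    no: int

    def passes(self, total_supply: int = TOTAL_SUPPLY) -> bool:
        cast = self.yes + self.no
        if cast == 0:
            return False
        support_ok = self.yes / cast > SUPPORT_REQUIRED
        acceptance_ok = self.yes >= MIN_ACCEPTANCE * total_supply
        return support_ok and acceptance_ok


def minimum_attacker_stake(honest_no: int, total_supply: int = TOTAL_SUPPLY) -> int:
    """Smallest whole-token "yes" stake that passes against `honest_no` "no" votes.

    Worst case for the attacker: every honest voter who turns out votes "no",
    and the attacker casts the only "yes" votes.
    """
    # Support condition: yes / (yes + no) > s  <=>  yes > s * no / (1 - s)
    support_floor = math.floor(SUPPORT_REQUIRED * honest_no / (1 - SUPPORT_REQUIRED)) + 1
    # Acceptance condition: yes >= a * total_supply
    acceptance_floor = math.ceil(MIN_ACCEPTANCE * total_supply)
    return max(support_floor, acceptance_floor)


def stake_needed_for_turnout(honest_turnout: float, total_supply: int = TOTAL_SUPPLY) -> float:
    """Attacker stake as a share of supply when `honest_turnout` of supply votes "no"."""
    honest_no = round(honest_turnout * total_supply)
    return minimum_attacker_stake(honest_no, total_supply) / total_supply


if __name__ == "__main__":
    # Constructed scenarios: the required stake tracks honest participation,
    # bottoming out at the 5% acceptance floor when almost nobody votes.
    for turnout in (0.02, 0.05, 0.10, 0.20):
        share = stake_needed_for_turnout(turnout)
        print(f"honest 'no' turnout {turnout:5.0%} -> attacker needs {share:6.2%} of supply")
    # The article's 10%-of-supply estimate holds as long as fewer than 10% of
    # supply turn out to vote "no".
    attacker = round(0.10 * TOTAL_SUPPLY)
    print(Tally(yes=attacker, no=round(0.09 * TOTAL_SUPPLY)).passes())
```

The useful reading of the output is the flat region: below 5% honest turnout the acceptance floor dominates and the required stake stays at 5% of supply regardless of how few people vote, so the first defensive lever is raising the acceptance threshold, and the second is raising turnout on proposals that touch the treasury.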

Preventing DAO Takeovers

Still, with many DAO treasuries rapidly amassing huge sums, the risk of malicious governance takeovers in DeFi is definitely increasing. Designing a governance structure that prevents takeover attempts while preserving the decentralized spirit of DeFi is a tricky proposition.

Governance should happen on-chain, and proposals should include automated code execution where possible; in most cases, the risk of multi-signature holders failing to comply outweighs the risk of centralized token accumulation.

Automated proposals should conform to a standardized template voted on by the community.

Analytical tools should be implemented to assess proposal compliance (to guide less technically savvy members) and to monitor proposal activity (e.g., a DAO analyzer).

A well-designed alerting bot or tool should be introduced to raise awareness of pending proposals so that malicious ones do not pass unnoticed.

A per-wallet cap on DAO token holdings (e.g., 5% of the total supply) can be written into the token contract. In practice this complicates the initial token distribution, but the cap can decrease over time or as the treasury grows (e.g., 20% -> 5%).
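To make the last recommendation concrete, here is an added example that models a per-wallet holding cap which tightens from 20% of supply at launch to 5% after a decay period. It is not code from the article or from any deployed token contract; the supply, addresses, timestamps, and the linear schedule are all constructed assumptions, and the cap is expressed in basis points so that the arithmetic stays in integers, as it would on-chain.

```python
"""Model of a per-wallet holding cap that tightens over time.

Added example, not code from the article or from any deployed token contract.
It models the article's suggestion of writing a per-wallet cap into the token
contract, with the cap falling linearly from 20% of supply at launch to 5%
after a decay period. Supply, addresses, and timestamps are constructed.
"""
from typing import Dict

SECONDS_PER_DAY = 86_400


class CappedToken:
    """Minimal balance ledger whose mints and transfers enforce a decaying wallet cap."""

    def __init__(self, total_supply: int, launch_ts: int, decay_seconds: int,
                 start_cap_bps: int = 2_000, end_cap_bps: int = 500) -> None:
        if decay_seconds <= 0:
            raise ValueError("decay_seconds must be positive")
        self.total_supply = total_supply
        self.launch_ts = launch_ts
        self.decay_seconds = decay_seconds
        self.start_cap_bps = start_cap_bps   # 2,000 bps = 20% of supply
        self.end_cap_bps = end_cap_bps       #   500 bps =  5% of supply
        self.balances: Dict[str, int] = {}

    def cap_bps(self, ts: int) -> int:
        """Cap in basis points at time `ts`, interpolated linearly and clamped."""
        elapsed = min(max(ts - self.launch_ts, 0), self.decay_seconds)
        drop = (self.start_cap_bps - self.end_cap_bps) * elapsed // self.decay_seconds
        return self.start_cap_bps - drop

    def cap_tokens(self, ts: int) -> int:
        """Largest balance any single address may hold at time `ts`."""
        return self.total_supply * self.cap_bps(ts) // 10_000

    def can_receive(self, recipient: str, amount: int, ts: int) -> bool:
        """True if `recipient` would still be within the cap after receiving `amount`."""
        return self.balances.get(recipient, 0) + amount <= self.cap_tokens(ts)

    def mint(self, to: str, amount: int, ts: int) -> None:
        """Initial distribution; also capped, so launch allocations must be spread out."""
        self._check_cap(to, amount, ts)
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender: str, recipient: str, amount: int, ts: int) -> None:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self._check_cap(recipient, amount, ts)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def _check_cap(self, recipient: str, amount: int, ts: int) -> None:
        if not self.can_receive(recipient, amount, ts):
            post = self.balances.get(recipient, 0) + amount
            raise ValueError(f"{recipient} would hold {post} > cap {self.cap_tokens(ts)} at t={ts}")


if __name__ == "__main__":
    # Constructed scenario: 100M supply, cap decays over one year.
    token = CappedToken(total_supply=100_000_000, launch_ts=0,
                        decay_seconds=365 * SECONDS_PER_DAY)
    token.mint("alpha", 20_000_000, ts=0)       # allowed: 20% cap at launch
    token.mint("beta", 4_000_000, ts=0)
    later = 365 * SECONDS_PER_DAY
    print("cap after one year:", token.cap_tokens(later))
    token.transfer("alpha", "beta", 1_000_000, ts=later)   # beta lands exactly on the 5% cap
    print("beta can take one more token:", token.can_receive("beta", 1, ts=later))
```

Two properties of this design are worth noting. A balance that was legal when acquired ("alpha" at 20%) is grandfathered once the cap falls below it; the contract only blocks further inflows, so such addresses should be watched rather than assumed harmless. And the cap constrains a single address, not a single actor: an accumulator can split holdings across wallets, which is why the article pairs this control with proposal monitoring rather than relying on it alone.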

In a field as new as DAOs, growing pains are to be expected. However, DAOs that manage large treasuries should take appropriate precautions to keep funds safe and protect the protocol from malicious actors. We are likely to see more hostile governance takeovers as the number of established market players with significant capital increases. As DAOs increasingly manage value on the same scale as their TradFi counterparts, thoughtful implementation of governance structures and suites of analytical tools to mitigate these risks will become increasingly important.

source: Hostile Takeover of The DAO What can we do? https://www.zaker.tv/article/DAO/7911.html
